It was not mentioned if you have root access or not while running this change script, so anything that directly modifies the passwd file (or its moral equivalent) may be out of the question.

From a system safety (locks, race conditions), security (enforcing conditions for passwords in one location on a machine), and process standpoint (who knows if other wrappers have been placed around the passwd process), I would probably try something that can drive the OS-level passwd program on each host. This will probably be slower, however, than pushing a passwd entry out directly to each host.
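
A sketch of what driving the OS-level program can look like, added here as an illustration and not part of the original answer: it runs a password program on a pseudo-terminal and answers its prompts, so locking and password policy stay with that program. The stand-in program, its prompts and exit codes, and the name `drive_passwd` are constructed assumptions; on a real host `argv` would be the system's own `passwd` command, whose prompts may differ.

```python
import os, pty, select, sys

# Constructed stand-in for the OS passwd program, so the example runs offline.
FAKE_PASSWD = r'''
import sys
def ask(prompt):
    sys.stdout.write(prompt); sys.stdout.flush()
    return sys.stdin.readline().rstrip("\n")
if ask("Current password: ") != "old-secret": sys.exit(10)
new = ask("New password: ")
if len(new) < 8: sys.exit(11)      # policy lives in the program, not the caller
if ask("Retype new password: ") != new: sys.exit(12)
'''
FAKE_ARGV = [sys.executable, "-c", FAKE_PASSWD]

def drive_passwd(argv, answers, timeout=10.0):
    """Run argv on a pty, answer each '...password:' prompt in order, return its exit code."""
    pid, fd = pty.fork()
    if pid == 0:                       # child: becomes the password program
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)              # only reached if exec failed
    pending, buf = list(answers), b""
    try:
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:              # program stopped talking: give up
                os.kill(pid, 9)
                break
            try:
                chunk = os.read(fd, 1024)
            except OSError:            # Linux reports EIO once the child exits
                break
            if not chunk:              # other platforms report EOF instead
                break
            buf += chunk
            if pending and buf.lower().rstrip().endswith(b"password:"):
                # Secrets travel over the pty, never on a command line.
                os.write(fd, pending.pop(0).encode() + b"\n")
                buf = b""
    finally:
        os.close(fd)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
```

A non-zero return means the program itself refused the change (here, exit code 11 for a password that fails its length rule), which is the point of leaving enforcement in one place on the machine.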